Photo illustration: Monika Kozak/ALM, Shutterstock

Consider this scenario: A company receives a subpoena for documents from the U.S. government or a U.S.-based regulator, but is concerned because some of its documents are hosted on a server in a foreign country with restrictive personal data protections. How should attorneys advise this company to comply with the subpoena without violating foreign data privacy laws?

Any person in this situation must understand the potential conflicts between the broad extraterritorial discovery sanctioned by U.S. courts, and the strict limitations on the processing and transferring of personal data in the European Union (EU) and other foreign countries. For example, the EU's General Data Protection Regulation (GDPR) governs, and severely restricts, the collection and disclosure of personal data in the 28 EU member states, plus Iceland, Norway, and Liechtenstein. (The GDPR broadly defines "personal data" as "any information relating to an identified or identifiable natural person." GDPR, Regulation (EU) 2016/679, Article 4:1.)

This article discusses various considerations on how to respond to such subpoenas, including: (1) negotiating with the party issuing the subpoena or document request to narrow the scope of the requests; (2) determining if the same information can be obtained through means that do not implicate foreign data privacy concerns; (3) consulting with local counsel in the country where the data is located to more fully understand the obligations; (4) seeking U.S. court intervention; and (5) taking all reasonable steps to limit and protect data productions.

Case Law on Conflict Between U.S. Discovery and Foreign Data Protections

U.S. courts typically rule in favor of the broad discovery sanctioned by the Federal Rules of Civil Procedure (FRCP), rather than the limitations on production set by foreign data privacy laws. See, e.g., Royal Park Investments SA/NV v. HSBC Bank USA, N.A., No. 14 CIV. 8175 (LGS), 2018 WL 745994, at *2 (S.D.N.Y. Feb. 6, 2018) (overruling Royal Park's objections to producing unredacted documents based on the Belgian Data Privacy Act, finding "that the comity analysis weighs in favor" of compelling production); Knight Capital Partners v. Henkel Ag & Co., KGaA, 290 F. Supp. 3d 681, 687 (E.D. Mich. 2017) ("the German Federal Data Protection Act does not bar the defendant from disclosing email communications and other business records included in the plaintiff's discovery requests, principally because the Act contains an express exception to the broad prohibitions on personal data disclosure."). In Societe Nationale Industrielle Aerospatiale v. U.S. Dist. Court for S. Dist. of Iowa, 482 U.S. 522, 544 n.29 (1987), the Supreme Court noted that "[i]t is well settled that [foreign blocking] statutes do not deprive an American court of the power to order a party subject to its jurisdiction to produce evidence even though the act of production may violate that statute."

The Supreme Court listed factors relevant to a court's case-by-case determination of whether to order discovery despite conflict with foreign laws, including "(1) the importance to the … litigation of the documents or other information requested; (2) the degree of specificity of the request; (3) whether the information originated in the United States; (4) the availability of alternative means of securing the information; and (5) the extent to which noncompliance with the request would undermine important interests of the United States, or compliance with the request would undermine important interests of the state where the information is located." Id. at 544, n.28. Lower courts applying the Supreme Court's guidance have held that this list of factors is not exhaustive. See, e.g., Gucci Am. v. Curveal Fashion, No. 09 CIV. 8458 RJS/THK, 2010 WL 808639, at *2 (S.D.N.Y. March 8, 2010) ("courts in the Second Circuit may also consider the hardship of compliance on the party or witness from whom discovery is sought [and] the good faith of the party resisting discovery") (internal citations omitted)

In Laydon v. Mizuho Bank, Ltd., defendants objected to plaintiff's document requests, claiming compliance would risk violation of the UK's Data Protection Act (DPA). 183 F. Supp. 3d 409, 413 (S.D.N.Y. 2016). The DPA is the UK's codification of the EU's predecessor directive to the GDPR, and serves to protect the rights of individuals with respect to the processing of personal data. Id. at 414. The court analyzed the Aerospatiale factors, finding most weighed in plaintiff's favor, including that the discovery sought "relates directly to plaintiff's claims" and was sufficiently specific. Id. at 420-21. Noting that the balancing of national interests is "the most important" factor, the court pointed to the UK Serious Fraud Office's statement that it had no objection to the production of the materials, and found that "the UK's interest in protecting the privacy of its citizens is mitigated by the protective order in place in this case, which permits [] Defendants to designate disclosed materials as 'Highly Confidential.'" Id. at 425. The court was also persuaded by defendants' inability to point to a single example of a UK enforcement action for violation of the DPA by complying with U.S. discovery. Id.

Practice Tips

Knowing that U.S. courts are likely to grant broad extraterritorial discovery, respondents should take certain steps throughout the process to minimize conflicts. Counsel should work with their clients to understand if the same data exists on U.S. servers or databases. Attorneys should come prepared to the initial negotiations with the requesting party with an understanding of where client documents are stored, and any potential conflicts with foreign data protections.

A lot of ground can be gained through negotiations with opposing counsel. The requesting party may agree to accept anonymized or aggregated personal data, which could mitigate concerns about identifying individuals. The requesting party may also consent to the same information being obtained through discovery mechanisms that do not implicate foreign data privacy laws, such as: (1) interrogatory responses; (2) requests for admission responses; (3) providing affidavits; (4) stipulating to facts; or (5) offering a FRCP 30(b)(6) corporate designee witness for deposition.

If the discovery dispute cannot be resolved through negotiations, court intervention may be necessary. In opposing a motion to compel the production of documents, attorneys should consult with local counsel in the country where the client's data is located in order to more fully understand the obligations and risks of violation. Foreign experts may need to submit affidavits or testimony to explain the applicable data protection laws, and describe the risk of enforcement. (FRCP 44.1 provides that "[i]n determining foreign law, the court may consider any relevant material or source, including testimony, whether or not submitted by a party or admissible under the Federal Rules of Evidence." Courts will look to determine whether the plain language of the foreign statute is clear. See Knight Capital Partners v. Henkel Ag & Co., KGaA, 290 F. Supp. 3d 681, 687 (E.D. Mich. 2017) ("[w]hen construing a foreign statute, the Court certainly must presume that the most pertinent and authoritative source on the scope and import of any foreign law is the plain language of the statute itself.").) Many foreign data privacy laws have exceptions that provide for the disclosure of personal information, such as in a litigation or for the defense of a legal claim, or if the data subject provides consent. In AccessData v. ALSTE Techs. GmbH, the court found that the party resisting discovery failed to demonstrate how the legal claims or consent exceptions did not apply, and ordered the production of documents. No. 2:08CV569, 2010 WL 318477, at *2 (D. Utah Jan. 21, 2010). Foreign experts' testimony can also be used to demonstrate why statutory exceptions to production do not apply.

Attorneys should consider that U.S. courts may not recognize the foreign data privacy protections, and nevertheless compel the production of documents. Steps should be taken to limit and protect such data productions, including entering into a robust confidentiality and protective order. See, e.g., Phoenix Process Equip. Co. v. Capital Equip. & Trading, No. 3:16CV-00024-RGJ-RSE, 2019 WL 1261352, at *15 (W.D. Ky. March 19, 2019) (finding U.S. interests outweigh those of Russia, where documents located, because parties' confidentiality agreement "protects any proprietary and commercially valuable information disclosed in this lawsuit, which should alleviate concerns of this information falling into the public or any non-parties' hands."). While production of documents may ultimately be compelled, the company must do everything in its power to ensure its own compliance with foreign data privacy rules.

Conclusion

Companies who do business in the United States and have documents located abroad must understand the potential conflicts between the broad extraterritorial discovery authorized by U.S. courts, and the major restrictions on the transferring of personal data in many foreign countries. Counsel and their clients can work to minimize these conflicts while complying with their legal obligations.

Gregory Baker and Rachel Maimin are partners, Kathleen McGee and Alexandra Droz are counsel, at Lowenstein Sandler.